Cisco Knowledge Network

Cisco Container Networking Overview and Roadmap

Nov 2017

Phil Lowden, Consulting Systems Engineer

What Is A Container?

Virtual Machine

Container

Containers vs VMs

Containers Virtual Machines

Shared resources Isolated resources

Lighter weight Full OS + application

Faster installation Several minutes to boot

No hypervisor Hypervisor-based

Linux and Windows No underlying OS

Microservices Monolithic

Why: New Application Architectures

microservices

monolithic apps

Monolithic Apps Cloud Native Apps

server / hypervisor server clusters, containers

dependencies easy upgrade

stateful microservices

waterfall development agile devops teams

Linux Containers

• .Group of processes on a Linux machine

• Isolated environment

• Linux system within another Linux system

• Inside the container, it looks like a VM

• Outside the container, it looks like normal processes running on the machine

Zones

7

Industry trends

What Is Docker?

What is Docker?

Docker is a software technology providing containers, promoted by the company Docker, Inc. Docker provides an additional layer of abstraction and automation of operating-system-level virtualization on Windows and Linux.

[Source: Wikipedia]

Docker is an open platform that helps companies build, ship and run their applications anywhere.

[Source: Docker, Inc]

Virtualization Technologies ComparisonDocker provides a unified access to:– Linux container technology (cgroups, namespaces)

– Various container implementations (lxc, libvirt, libcontainer, etc.)

‘libcontainer’ is Docker’s implementation of container technology

Why Docker Containers?

• Standardization of the container format

• Development of an ecosystem for sharing containers

Dockerhub

• Sign up for an account on dockerhub• Public repository of Docker images

• https://hub.docker.com/• docker search [term]

Docker+Cisco Partnership

+Stronger TogetherOpen Source community and technology partners to build solutions

Joint Engineering,Sales and Marketing

Docker Datacenter On FlexPod CVD

ContivNetwork Plugin

Docker Datacenter On Cisco UCS

What Is Docker Networking?

Docker Networking Architecture

Docker Engine

Service Discovery

Load Balancing

IP Address Mgmt(IPAM)

Remote Drivers

(Contiv, Calico, Weave)

Native Drivers(bridge, overlay, MACVLAN, IPVLAN)

Libnetwork(CNM)

API

Docker networking: single host versus multi host

VxLAN Overlay 10.0.0.0/24

Docker Engine Docker EngineDocker Engine

10.85.138.1010.85.138.10 10.85.138.11

Bridge(Docker0) Bridge(Docker0)

Docker Networking: MACVLAN Driver

Docker Engine

eth0

Eth0.100 Eth0.200

Existing network

VLAN 200192.168.128.0/24

VLAN 200192.168.129.0/24

VLAN 200192.168.129.10/24

VLAN 200192.168.128.10/24

What Is Contiv?

100% Open SourceThe Most Powerful Container Networking Fabric

L2, L3, Overlay or ACIRich Policy Model

DevOps IT Admin

Any NetworkingAny Platform

Any Infrastructure

Application Intent

Rich Policy

Connectivity

ACI integration

Container,VM,BM

LDAP/RBAC

What is Contiv

Production-Grade Network and Security Policies

Multi-Tenant, Multi-Host Network Connectivity

Network Security and Isolation

(White/Black List Rules)

Traffic Prioritization and Bandwidth Allocation

Network Monitoring (Live Connectivity Graphs and Stats)

Integration with External Network

(Cloud | Nexus | Cisco ACI)

Micro-Services Load Balancing

Integrated IPAM, Service Discovery

Performance and Scale

Available at https://github.com/contiv/netplugin

Contiv Integration with Cisco Products

Application-Centric Infrastructure (ACI)• Containers integrated with APIC policies

• Physical services integration

Nexus Standalone or Any Network• BGP interop (standard routing protocol)

• EVPN-based multi-tenancy and automation

Unified Compute Systems: B and C Series• Leveraging vNICs for control, data, management, and storage traffic

• Offload encapsulation function

Contiv Leverages Underlying Infrastructure Capabilities for Applications

Cisco Container Solutions

Cisco Integrated Infrastructure for Containers

Container and Microservices Solutions on Cisco UCS Integrated InfrastructureContainer and Microservices Solutions on Cisco UCS Integrated Infrastructure

Cisco UCS with Cisco UCS with Docker Datacenter 1.x

FlexPod with Docker Datacenter 2.x

FlexPod with Docker Datacenter 2.x

NetApp Docker Vol Plugin

Enterprise Ready

Design choices

Scalable Architecture

Jointly Engineered

Delivered by Partners

Cisco Container Solutions

• Infinite Video

• Mobile Evolved Packet Core (EPC)

• OpenStack Network Function Virtualization Infrastructure (NFVi) aka Project Mercury)

• Lindt (open network operating system)

• Virtual Managed Services (VMS)

• Digital Network Architecture Center (DNA-C) open, programmable architecture

• Installation Containers

© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Public

ContainerScheduler

UI to Manage/Monitor Policies/Usage

Policy Enforcement in ACI fabric

Host based networking managed by Contiv

Policy created in Contivpushed to APIC

Node 1 Node 2 Node-n

CCN Distributed Policy Layer

...

Project Contiv and ACI

OperationsDevelopers

Contiv Enables Policy Based Distributed Container Networking

Available as Open Source

Project Contiv

• Provides policy-based container networking

• Multiple deployment options including overlay, L3, and ACI

• Integrates with multiple orchestration tools

• Support option to be made available from Cisco

• Learn more:• https://github.com/contiv

ACI + Kubernetes Integration

Docker Host (Linux)OVS

APIC Kubernetes Plugins

OpFlex Agent

OpFlex Proxy

Kubernetes Master

CNI Plugin

• APIC GUI integration / VMM Domain specifically designed for Kubernetes

• Visibililty / statistics / health metrics for containers

• OVS + OpFlex provides Docker host datapath

• Flexible mapping of Kubernetes into ACI policies

• Container teams set Kubernetes network policies

• Network team retains control of ACI policies for EPGs / contracts

• Distributed load balancing

• Symmetric PBR in ACI fabric for north south LB

• OVS + OpFlex for distributed east-west LB

ACI + Kubernetes Integration

KubernetesKubernetes is open source container mobility among on-premises, hybrid, or public cloud (“multicloud”) infrastructure, letting you effortlessly move workloads to where it matters to you

Solution Support for Contiv Open-source

• Our customers can rely on us to keep their container networking fabric environments operating

• Fewer physical network devices to manage and operate

• Easier to manage container networking services on demand

• Container automation of security and application policies

How We Help

• Container Networking Fabric

• Virtual Network Per Tenant

• Segment Per Microservice

• Network-based Service Routing

• Security Policies

Engineer Expertise

• Solution Support Service for Cisco Contiv Open-source

• Embedded Basic Support with Cisco Smart Account entitlement

• Supports container networking fabric interoperability from solution partners

What’s Unique

Service Provider Use Cases

Flexible Connectivity to Place Containers Anywhere

Native Connectivity

Infra Policy: [ Bridged | Routed ]

VLAN | IP (BGP) Handoff to Access Node

APP1 APP2APP3 APP4

Host-1 Host-n

.…

Overlay Connectivity

Infra Policy: [ Overlay ] [ Bridge | Routed ]

Overlays for Inter-Container Traffic

APP1 APP2APP3 APP4

Host-1 Host-n

.…

Any Network Topology and Container Visibility Across Physical Network

Use Case:Private Cloud

Use Case:Private CloudPublic Cloud

Scalable, Secure Microservices Deployments

Microservices Isolated Within the Network

Micro-ServiceWeb

Group

AppGroup

DB Group

Allow Grouping of Containers/Pods

1

Specify Policies Between Groups or from Outside the Network

2

Ability to Provide Granular Micro-Service Security in a Scalable Way

Ability to Support Many Secure Tenants with Individual Policies or Overlapping IP

Multi-TenancySeparation of Policy/Network

Tenant 210.1.1.0/24

Tenant 310.1.1.0/24Tenant 1

10.1.1.0/24

Telemetry and Monitoring

Svc1, Web

Svc1, App

Svc1, Db

Svc2, Web

Svc3, Ux

Live Application Connectivity Graph

Ability to Troubleshoot Micro-Service Application

Roadmap

Cisco and Google: Best of Both Worlds

Networking and Security

Private Cloud Infrastructure

Multicloud Management

Enterprise Class Sales and Support

Cloud Services

Microservices / Containers

API Gateway for Existing Services

Developer Community

Oct 2017: Cisco’s hyper-converged platform, Cisco HyperFlex, will provide a

cloud-ready solution for Kubernetes and containers, and management tools

to enforce security and consumption policies (Q2CY18).

Harmony Kubernetes Architecture

K8s master 1K8s master 1 K8s master nK8s master n

K8s NodeK8s Node K8s NodeK8s Node K8s NodeK8s Node

Persistent Storage

Overlay Network

SecureCommunication

Load Balancer

Load Balancer

Storage External Network

External Communication

HyperFlex IAAS/Storage

Kubernetes

AuthN and AuthZAuthN and AuthZKubernetes Lifecycle ManagementKubernetes Lifecycle Management Monitoring / LoggingMonitoring / Logging

Nexus 9000 Container-based ISSU

• Software runs inside separate Linux container (LXC) for the supervisor and linecard

• A third container is created as part of the ISSU procedure and is brought up as a standby supervisor

• During enhanced ISSU: control plane downtime is < 3-5 seconds. No data plane traffic disruption

• Requires 16G memory on switch• Requires switch reload when enabling enhanced ISSU for the

first time• The supervisor is upgraded first, then linecard is upgraded